[lug] PHP/files/security
jkraai at murlmail.com
Sun Jan 21 11:05:12 MST 2001
What security issues w/ include files? If PHP is properly configured,
and you reasonably keep up with PHP releases, there aren't any.
We've written (and rewritten) over 40k lines of PHP. Security was a
big concern, and include files were integral to our strategy.
We put stub files in $BASE/docs and set the php.ini PHP_INCLUDE_PATH
directive to point to some other directory which was inaccessible
to the outside world, say $BASE/incl, which had all of the interesting
logic.
This way, even if we had a configuration problem which listed the source
of the files under $BASE/doc, no one on the outside could get to the
real code.
What are the security concerns w/ include files?
--jim
On Sun, Jan 21, 2001, at 10:07:24 AM John Starkey <jstarkey at advancecreations.com> wrote:
--------------------------------------------------
Hello all.
Can anyone recommend info on security concerns when using PHP with
includes? The app I'm working on is a user desktop for researching medical
issues and the amount of code with all the accessories would be scrolling
for days but they don't wanna use includes because of the security issues.
I can't see an issue unless the script will be editing files on the
drive. Seems to me that if someone does have file level access and can
upload a malicious script and incorp it into your PHP files they wouldn't
be wasting their time with this. You've got much bigger trouble on your
hands.
TIA,
John
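
An added example, not part of either message or of the poster's code base: a Python audit of the layout described in the reply above, with stub files in the web-served directory and the real logic in an include directory that is not served. The function names, the definition of a "stub" and the sample tree are assumptions made for illustration.

```python
import os, re, tempfile

# Assumption of this example: a stub holds only PHP tags, comments and include/require lines.
STUB_LINE = re.compile(
    r"^\s*(<\?php|\?>|//.*|#.*|(include|require)(_once)?\s*\(?\s*['\"][\w./-]+['\"]\s*\)?\s*;)?\s*$")

def audit_layout(docroot, include_dir):
    """Return findings for a docs/ + incl/ split; an empty list means the split holds."""
    findings = []
    root, incl = os.path.realpath(docroot), os.path.realpath(include_dir)
    # 1. The include directory must not resolve to a path the web server serves.
    if os.path.commonpath([root, incl]) == root:
        findings.append(f"include dir {incl} is inside docroot")
    for base, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(base, name)
            # 2. A symlink from the docroot into incl/ re-exposes the real code.
            if os.path.islink(path) and os.path.commonpath([incl, os.path.realpath(path)]) == incl:
                findings.append(f"symlink {path} points into include dir")
            elif name.endswith(".php") and os.path.isfile(path):
                # 3. Anything beyond include lines would be disclosed by a source listing.
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for n, line in enumerate(fh, 1):
                        if not STUB_LINE.match(line):
                            findings.append(f"{path}:{n} is more than a stub")
                            break
    return findings

def build_sample(base, leak):
    """Constructed sample tree: docs/ holds stubs, incl/ holds the real logic."""
    docs, incl = os.path.join(base, "docs"), os.path.join(base, "incl")
    os.makedirs(docs)
    os.makedirs(incl)
    with open(os.path.join(incl, "main.php"), "w") as fh:
        fh.write("<?php\n$dsn = 'constructed-secret';\n")
    with open(os.path.join(docs, "index.php"), "w") as fh:
        fh.write("<?php\nrequire_once 'main.php';\n")
    if leak:  # logic that crept into the web-served directory
        with open(os.path.join(docs, "admin.php"), "w") as fh:
            fh.write("<?php\n$dsn = 'constructed-secret';\n")
    return docs, incl

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        docs, incl = build_sample(tmp, leak=True)
        for finding in audit_layout(docs, incl):
            print(finding)
```
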